The Investigation Timesuck

investigation_s1 – 2@2x.png

The investigation begins from a single security alert.  

Security analysts face a daunting challenge for each security alert

  • Is this a credible threat? 

  • If so, what is the root cause?

  • What is its scope?


The timeline represents the findings from Ponemon's 2019 Cost of a Breach report illustrating the long average periods of time to recognize, investigate, and remediate a breach.  

Lateral movement, account switching, and simple evasion techniques, escape basic methods for grouping alerts (e.g. from the same host or user)  

The challenge of linking threat activity together is compounded when different analysts triage related alerts


Cloud systems and containers may have changed or no longer exist when the investigation begins, creating impassable gaps to recover attack steps


Spyderbat differs from existing approaches by mapping causal connections between user sessions, processes, files, network connections, machines and containers across a stateful Operations Plane. This provides the groundwork for attack tracing.  

Spyderbat fuses security data, such as third party alerts from SIEM or Cloud Monitoring services, and enriched context as they occur to the Spyderbat Operations Plane.  Causal connections highlight relationships between security events, colored by the additional context, identifying the attack from its entry point to its current state. 

Stateful representation of activities allow attack traces to capture attack paths even when traversed through hybrid and cloud environments.

Spyderbat Flags identify uncommon activities or system behaviors.  These activities are rarely sufficient to require investigation when seen in isolate.  They act as additional context to corroborate attack activity when causally linked to other flags or third-party security data. 

Extensible and easy-to-create, Spyderbat Flags are provided by Spyderbat and through community contribution. 

Spyderbat dramatically reduces security investigation time from days to hours by providing security analysts with all causally connected threat activity regardless of whether it is separated by time, systems, users, and other parameters.